Squid-kerberos
msktutil
# msktutil is used below to create the proxy's AD computer account and to write its keytab.
- apt-get install msktutil
Create the computer account in Active Directory and a local keytab for it
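# Get a ticket for an account that may create computer objects in AD.
# NOTE(review): "administrator" works but is more privilege than this step needs;
# an account delegated only "Create Computer objects" on the target container is
# sufficient - confirm what your AD policy allows.
kinit administrator

# FQDN the clients will point their proxy setting at. It must be the same name
# the SPN below is registered for, otherwise clients request a ticket for a
# service that does not exist and Negotiate fails.
PROXY="lang.linuggs.lan"
# Hostname of the domain controller to talk to (passed to --server); despite the
# variable name this is not an LDAP DN.
DN="douglas.linuggs.lan"

# -c: create the computer account (PROXYSRV-HTTP under CN=Computers)
# -s / --upn: register the HTTP/<proxy> service principal
# -k: write the resulting keytab; this path is reused in squid.conf (-k) and
#     KRB5_KTNAME, so all three must agree
# -N: do not request a PAC in service tickets for this principal
msktutil -c -b "CN=Computers" -s "HTTP/$PROXY" -k /etc/squid/PROXY.keytab \
  --computer-name PROXYSRV-HTTP --upn "HTTP/$PROXY" --server "$DN" -N

# The keytab is a long-lived credential for the proxy's AD account: only the
# squid user may read it. (Debian's squid3 package uses /etc/squid3/ instead
# of /etc/squid/ - whichever directory you use, keep it identical everywhere.)
chown proxy:proxy /etc/squid/PROXY.keytab
chmod 0600 /etc/squid/PROXY.keytab

# The administrative ticket is not needed on the proxy host any longer.
kdestroy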
/etc/default/squid3
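# Keytab holding the HTTP/<proxy> service principal, picked up by the GSSAPI
# library in the negotiate helper. The path must be the one msktutil wrote to
# (-k) and the one given to "auth_param negotiate ... -k" in squid.conf; this
# page uses /etc/squid/. Adjust all of them together if your package uses
# /etc/squid3/.
KRB5_KTNAME=/etc/squid/PROXY.keytab
export KRB5_KTNAME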
/etc/squid/squid.conf
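# NOTE(review): this file mixes squid and squid3 paths (coredump_dir, boese_seiten,
# basic_ldap_auth vs. access_log, the negotiate helper and the keytab). Make sure
# every path matches the package that is actually installed.
coredump_dir /var/spool/squid3

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

access_log /var/log/squid/access.log squid
dns_v4_first on

# iptables command ...
#iptables -t nat -A PREROUTING -j DNAT -i eth0 -p tcp --dport 80 --to 192.168.240.100:3128

http_port 3128
# NOTE(review): connections intercepted on this port carry no Proxy-Authorization
# header, so they can never satisfy the proxy_auth ACL below and end up at
# "deny all". Intercepted clients need a source-based allow rule (e.g. the
# commented "allow xinux !boese_seiten") if they are meant to get through.
http_port 3129 transparent

#####
#cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange

#auth_param basic program /usr/lib/squid3/basic_ldap_auth -b "dc=xinux,dc=de" -f "uid=%s" -h 127.0.0.1
#auth_param basic children 50
#auth_param basic realm Web-Proxy
#auth_param basic credentialsttl 1 minute
#auth_param basic casesensitive off

# -k: keytab written by msktutil (same path as KRB5_KTNAME)
# -s GSS_C_NO_NAME: accept any service principal present in the keytab
# -d / -i: debug and informational output on stderr (ends up in cache.log);
#          noisy, consider dropping -d once authentication works
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/PROXY.keytab -d -i -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off
####

acl auth proxy_auth REQUIRED
acl xinux src 192.168.240.0/20
acl thomas src 192.168.244.0/24
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

acl boese_seiten url_regex "/etc/squid3/boese_seiten"
acl CONNECT method CONNECT

# The first matching http_access line wins. The deny rules for unsafe ports,
# CONNECT to non-SSL ports and the cache manager therefore have to come BEFORE
# the allow for authenticated users; otherwise any authenticated user is
# allowed through before those restrictions are ever evaluated.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow manager localhost
http_access deny manager

##http_access allow xinux_users
#http_access allow xinux !boese_seiten
http_access allow localhost
# Authenticated (Kerberos) users; "all" in the original line was redundant.
http_access allow auth
http_access deny all

#never_direct allow all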
restart
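# Check the configuration before touching the running proxy, then restart it:
# "start" is a no-op while squid is already running, so the new
# /etc/default/squid3 and squid.conf would not be picked up.
# (If your package installs the binary as "squid", use "squid -k parse".)
squid3 -k parse && service squid3 restart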
client Machine
Set your proxy to the proxy server's fully qualified domain name (dewey.xinux.org in this example) on port 3128. It must be exactly the name the HTTP/$PROXY service principal was registered for with msktutil above, and NOT the IP address: the client requests a Kerberos ticket for HTTP/&lt;name as configured&gt;, and no such principal exists for an IP address, so Negotiate authentication fails.
debugging
sources
- http://roshan-g.blogspot.de/2014/05/squid-with-kerberos-and-ldap.html
- http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
- http://stackoverflow.com/questions/18075028/squid-integration-with-active-directory-best-practise
- http://manpages.ubuntu.com/manpages/trusty/man8/negotiate_kerberos_auth.8.html
- http://serverfault.com/questions/66556/getting-squid-to-authenticate-with-kerberos-and-windows-2008-2003-7-xp